OAuth 2.0 Cookbook

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento

Buy this Book

OAuth 2.0 Cookbook

By: Adolfo Eloy Nascimento

Buy this Book

Overview of this book

OAuth 2.0 is a standard protocol for authorization and focuses on client development simplicity while providing specific authorization flows for web applications, desktop applications, mobile phones, and so on. This book also provides useful recipes for solving real-life problems using Spring Security and creating Android applications. The book starts by presenting you how to interact with some public OAuth 2.0 protected APIs such as Facebook, LinkedIn and Google. You will also be able to implement your own OAuth 2.0 provider with Spring Security OAuth2. Next, the book will cover practical scenarios regarding some important OAuth 2.0 profiles such as Dynamic Client Registration, Token Introspection and how to revoke issued access tokens. You will then be introduced to the usage of JWT, OpenID Connect, and how to safely implement native mobile OAuth 2.0 Clients. By the end of this book, you will be able to ensure that both the server and client are protected against common vulnerabilities.

Title Page

Credits

About the Author

About the Reviewer

www.PacktPub.com

Customer Feedback

Preface

Free Chapter

OAuth 2.0 Foundations

Introduction

Preparing the environment

Reading the user's contacts from Facebook on the client side

Reading the user's contacts from Facebook on the server side

Accessing OAuth 2.0 LinkedIn protected resources

Accessing OAuth 2.0 Google protected resources bound to the user's session

Implementing Your Own OAuth 2.0 Provider

Introduction

Protecting resources using the Authorization Code grant type

Supporting the Implicit grant type

Using the Resource Owner Password Credentials grant type as an approach for OAuth 2.0 migration

Configuring the Client Credentials grant type

Adding support for refresh tokens

Using a relational database to store tokens and client details

Using Redis as a token store

Implementing client registration

Breaking the OAuth 2.0 Provider in the middle

Using Gatling to load test the token validation process using shared databases

Using OAuth 2.0 Protected APIs

Introduction

Creating an OAuth 2.0 client using the Authorization Code grant type

Creating an OAuth 2.0 client using the Implicit grant type

Creating an OAuth 2.0 client using the Resource Owner Password Credentials grant type

Creating an OAuth 2.0 client using the Client Credentials grant type

Managing refresh tokens on the client side

Accessing an OAuth 2.0 protected API with RestTemplate

OAuth 2.0 Profiles

Introduction

Revoking issued tokens

Remote validation using token introspection

Improving performance using cache for remote validation

Using Gatling to load test remote token validation

Dynamic client registration

Self Contained Tokens with JWT

Introduction

Generating access tokens as JWT

Validating JWT tokens at the Resource Server side

Adding custom claims on JWT

Asymmetric signing of a JWT token

Validating asymmetric signed JWT token

Using JWE to cryptographically protect JWT tokens

Using JWE at the Resource Server side

Using proof-of-possession key semantics on OAuth 2.0 Provider

Using proof-of-possession key on the client side

OpenID Connect for Authentication

Introduction

Authenticating Google's users through Google OpenID Connect

Obtaining user information from Identity Provider

Using Facebook to authenticate users

Using Google OpenID Connect with Spring Security 5

Using Microsoft and Google OpenID providers together with Spring Security 5

Implementing Mobile Clients

Introduction

Preparing an Android development environment

Creating an Android OAuth 2.0 client using an Authorization Code with the system browser

Creating an Android OAuth 2.0 client using the Implicit grant type with the system browser

Creating an Android OAuth 2.0 client using the embedded browser

Using the Password grant type for client apps provided by the OAuth 2 server

Protecting an Android client with PKCE

Using dynamic client registration with mobile applications

Avoiding Common Vulnerabilities

Introduction

Validating the Resource Server audience

Protecting Resource Server with scope validation

Binding scopes with user roles to protect user's resources

Protecting the client against Authorization Code injection

Protecting the Authorization Server from invalid redirection

Index

Customer Reviews

5 star

4 star

3 star

2 star

1 star

Binding scopes with user roles to protect user's resources

By using scopes we can add fine-grained protection to the user's resources. Spring Security also provides the concept of roles which can be interchangeable with scopes defined by Spring Security OAuth2. As explained by Dave Syer (leader of the Spring Securit OAuth2 project), roles and scopes are just arbitrary strings that might be considered as the same thing (you can read more about this explanation at https://stackoverflow.com/questions/22417780/using-scopes-as-roles-in-spring-security-oauth2-provider). This recipe presents you with how to bind scopes that are available for some client details with the roles that a Resource Owner might have. In this case, the Resource Owner would be able to approve scopes that are related to her roles.

Getting ready

To run this recipe, you will need Java 8, Maven, Spring Web, and Spring security. To ease the project creation step, use Spring Initializr at http://start.spring.io/ and define the dependencies...

OAuth 2.0 Cookbook

By : Adolfo Eloy Nascimento

OAuth 2.0 Cookbook

By: Adolfo Eloy Nascimento

Overview of this book

Related Content you might be interested in

Current Title:

OAuth 2.0 Cookbook

Hands-On Spring Security 5 for Reactive Applications

Spring 5.0 Projects

Spring Security

Binding scopes with user roles to protect user's resources

Getting ready